Joe Calandrino will present his preFPO on Friday, April 8, at 4PM in Room 402. The members of his committee are: Ed Felten, advisor; Andrew Appel and Jen Rexford, readers; Brian Kernighan and David Walker, nonreaders. Everyone is invited to attend his talk. His abstract follows below.
-------------------------------
Title: Control of Sensitive Data in Systems with Novel Functionality
Abstract:
Advances in computer science have enabled analysis of data in ways
previously unthinkable. This has led to powerful new uses of data,
often with positive results. For systems utilizing sensitive data,
however, an adversary's ability to scrutinize revealed output for
sensitive details has also increased. The threat is particularly great
for systems with novel functionality. Novel uses of data are often
accompanied by implicit assumptions. As a result, exposure of seemingly
innocuous information may reveal underlying sensitive data in unexpected
new ways. We study this issue in the context of three diverse cases.
The first case that we consider is fill-in-the-bubble forms, which are
used in a variety of situations where protection or confirmation of
identity is critical. Although bubble-form surveys, election ballots,
and standardized test forms are often treated as anonymous, we
demonstrate that individuals complete bubbles in a distinctive manner,
allowing de-anonymization. Second, we consider collaborative filtering
recommender systems, which often use sensitive transactions to infer
relationships between items. We show that an attacker can exploit
dynamic changes in recommendations to infer individual underlying
transactions. Finally, we explore the use of machines and algorithms in
election auditing to ensure an accurate election outcome efficiently
without compromising ballot secrecy or trusting voting machines. Each
case employs sensitive data in unique ways, yielding unique vectors for
data leakage.
For systems utilizing sensitive data in novel ways, developers must
carefully assess the relationship between that data and the system's
output. Undesirable inferences frequently stem from unstated or
untested assumptions that no meaningful link exists. Careful evaluation
can make these assumptions explicit and address them before releasing
data to potential adversaries.